Use of consumer information
Consent to the collection and use of personal information
- A provider of information and communications services shall, whenever it intends to collect the personal information of a user and use it for a given purpose, notify the user of the following matters and obtain the consent of the user. The same shall apply in cases where it intends to change any of the following matters (Article 39-3(1) of the 「Personal Information Protection Act」):
· The purposes of its collection and use of the user's personal information.
· The items of the user's personal information that it intends to collect.
· The period of time during which it intends to retain, possess, and use the user's personal information.
- A provider of information and communications services may collect and use the personal information of a user without obtaining the user's consent in any of the following cases (Article 39-3(2) of the 「Personal Information Protection Act」):
· In the event that collection of the user's personal information is necessary to performing the contract on the provision of information and communications services, but where it is obviously difficult to obtain the user's consent in the ordinary way due to economic or technical reasons.
· In the event that it is necessary to settling the payment of charges for the information and communication services rendered.
· In the event that a specific provision in other Acts requires otherwise.
- Punishment for violation
· A person who collects a user's personal information without the consent of the user shall be punished by imprisonment with prison labor for not more than
5 years or by a fine not exceeding 50 million Won (Subparagraph
4-5 of Article 71 of the 「Personal Information Protection Act」).
※ Prohibition of the use of resident registration numbers
· Other than the cases falling under any of the following, a provider of information and communications services may not collect and use its users’ resident registration numbers (Article 23-2(1) of the 「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.」):
√ In cases where the provider is designated as the identification service agency.
√ When a telecommunications service provider who receives and resells mobile communication services from a key communication service provider collects and uses the user's resident registration number in connection with the identification of the mobile communication service provider designated as the identity verification agency
· A provider of information and communications services shall provide a method (alternative means) of identification without using its users' resident identification numbers (Article 23-2(2) of the 「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.」).
Transfer of personal information
- In cases where a provider of information and communications services transfers the personal information of its users to a third party due to a transfer of business, in whole or in part, merger, or any similar cause, it shall notify the users of the following matters in writing, e-mail, fax, phone, text messaging or equivalent method (Article 27(1) of the 「Personal Information Protection Act」 and Article 29(1) of the Enforcement Decree of the 「Personal Information Protection Act」):
· The fact that the users' personal information is due to be transferred.
· The name (referring to the name of a legal corporation, if the business person or entity in question is a legal corporation), address, and telephone number of the person or entity to whom the personal information is to be transferred, and other contact information of that person or entity.
· The methods and procedures available, in the event that a user does not want his/her personal information to be transferred to a third party.
- Punishment for violation
· A person or entity that violates the foregoing shall be punished by a fine not exceeding 10 million Won (Subparagraph 6 of Article 75(4) of the 「Personal Information Protection Act」).
Withdrawal of consent to the collection, use, and provision of personal information
- The users of online shopping malls may withdraw at any time the consent they have given to an information and communications service provider to collect, use and provide to another party their personal information (Article 39-7(1) of the 「Personal Information Protection Act」).
- Thus, information and communications service providers shall ensure that the procedure for the users’ withdrawal of their consent is easier than the procedure for obtaining their consent to the collection and use of their personal information (Article 39-7(2) of the 「Personal Information Protection Act」).
- Punishment for violation
· A person who fails to provide methods of withdrawing consent regarding personal information in violation thereof shall be subject to a fine not exceeding 30 million won (Subparagraph 12-5 of Article 75(2) of the 「Personal Information Protection Act」).
Settlement of personal information-related disputes
Personal Information Dispute Mediation Committee (PICO)
- Application for dispute mediation
· Any person or entity that seeks mediation of a dispute over personal information may address an application for mediation to the PICO (Article 43(1) of the 「Personal Information Protection Act」).
- Preparing a proposed mediation
· When the PICO receives an application for mediation of a dispute, it may present the details thereof to the parties to a case and recommend them to reach an amicable agreement prior to mediation. Where it is deemed necessary to efficiently meditate disputes, the PICO may establish a mediation division composed of not more than five members in each category of mediation cases. The PICO shall examine a case and prepare a proposed mediation within 60 days (this period may be extended, if any unavoidable cause exists.) of the date it receives an application for mediation of a dispute. Upon preparing a proposed mediation, the PICO shall present the proposed mediation to each party without delay (Articles 40(6), 44(1), 46 and 47(2) of the 「Personal Information Protection Act」).
· When the parties to a dispute in receipt of a proposed mediation fail to inform the PICO of their acceptance of the proposed mediation within 15 days of the date on which they receive it, the proposed mediation shall be deemed to have been rejected (Article 47(3) of the 「Personal Information Protection Act」).
- Rejection of application for dispute mediation and suspension of dispute mediation
· If the PICO deems that it is inappropriate to settle a dispute by mediation of the Committee in light of the nature of the dispute or if an application for mediation has been filed for any unjust purpose, it may reject the application for mediation. In such cases, it shall notify the applicant of the grounds for its rejection of the application for mediation and other related matters (Article 48(1) of the 「Personal Information Protection Act」).
· If a party to a dispute files a lawsuit while proceedings of a case filed for mediation are still in progress, the PICO shall suspend the mediation proceedings and notify the parties thereof (Article 48(2) of the 「Personal Information Protection Act」).
- If the parties to a dispute accept a proposed mediation, the PICO shall prepare a letter of mediation, and the chairperson of the PICO and the parties to the dispute shall print their names and affix their seals on the letter of mediation. In this case, the details of mediation shall be as effective as a judicial compromise (Article 47(4) and (5) of the 「Personal Information Protection Act」).
※ Applications to the PICO for dispute mediation may be made at the <Personal Information Dispute Mediation Committee>.
Asking for compensation for loss or damages caused by personal information infringement
- Civil damages liability shall be recognized if the infringement of personal information meets the requirements for damages liability for tort in the 「Civil Act」 (Article 750 of the 「Civil Act」 and the former part of Article 39(1) of the 「Personal Information Protection Act」).
· Here, “damage” includes property and mental damage. Generally, the amount of damage is set through an agreement made by the relevant parties or by the court’s judgment.
- In such cases, a provider of information and communications services or similar entity may not be exempted from liability, unless it proves that there was neither intentional act nor negligence on its part (Article 39(1) of the 「Personal Information Protection Act」).